13/5/1 (Item 1 from file: 6)

DIALOG (R) File 6:NTIS 

(c) 2006 NTIS, Intl Cpyrght All Rights Res. All rts. reserv.

1568356 NTIS Accession Number: AD-A230 437/6 

Example Secure System Specified Using the Terry-Wiseman Approach 

Harrold, C. L. 

Royal Signals and Radar Establishment, Malvern (England).
Corp. Source Codes: 053783000; 409929 

Sponsor: Defence Research Information Centre, Orpington (England).

Report No.: RSRE-90011; DRIC-BR-115326 

Jul 90 65p 

Languages: English

Journal Announcement: GRAI9112

Order this product from NTIS by: phone at 1-800-553-NTIS (U.S.
customers); (703) 605-6000 (other countries); fax at (703) 321-8547; and
email at orders@ntis.fedworld.gov. NTIS is located at 5285 Port Royal Road,
Springfield, VA, 22161, USA.

NTIS Prices: PC A04/MF A01

Country of Publication: United Kingdom 

This report presents the specification of operations for a secure
document handling system (SERCUS). The specification uses the Terry-Wiseman
Security Policy Model and therefore acts as an example of the modelling
approach. The specification uses the mathematical notation Z, and
consequently also acts as an example of the use of Z in specifying secure
systems. However, it must be noted that an appreciation of SERCUS, the
model and modelling approach can usefully be gained even if the formal
specifications are not read. The Terry-Wiseman Model and its interpretation
are given as an Annex to this report. SERCUS is essentially an electronic
registry system which controls the creation of, and access to, classified
documents and mail messages. In the usual way, the users are assigned
clearances which limit their ability to observe and modify the
information in the system. In addition to their clearance, the users have
a designated role to play. The possible roles are security officer and
ordinary user, although there were also registry clerks in the original,
longer, specification. Certain operations may only be performed by users
with the appropriate role. For example, only security officers may
create new legal users or review journalled information and, in the
original specification, only registry clerks could create files or add
documents to files. Although the model does allow systems to be specified
where individuals can have more than one role, this is not required in the
SERCUS application, and each user is assigned a single fixed role.

Descriptors: *Documents; Classified materials; Electronic equipment;
Files (Records); Handling; Law enforcement; Mathematics; Model theory;
Officer personnel; Specifications

Identifiers: *Foreign technology; *Data processing security;
NTISDODXA

Section Headings: 62GE (Computers, Control, and Information 
Theory — General) 



16/5/2 (Item 2 from file: 2) 

DIALOG (R) File 2:INSPEC

(c) 2006 Institution of Electrical Engineers. All rts. reserv. 

02348946 INSPEC Abstract Number: C79016191 
Title: Mechanism for decentralization of security administration 

Author(s): Fernandez, E.B. 

Author Affiliation: IBM Corp., Armonk, NY, USA 

Journal: IBM Technical Disclosure Bulletin vol. 21, no. 6 p. 2529-31
Publication Date: Nov. 1978 Country of Publication: USA 
CODEN: IBMTAA ISSN: 0018-8689 

Language: English Document Type: Journal Paper (JP) 
Treatment: Practical (P) 

Abstract: Describes a system of database security administrators
which delegate and recall security functions and enforce global security
policies at each delegated database partition. There exists the need in
large shared databases to delegate security administration functions,
i.e., to have administrators in charge of portions of the total database.
A centralized security administrator only could result in severe
bottlenecks. This mechanism allows security administrators to delegate
part or all of their security functions, while maintaining some supervisory
control over the delegated portions of the database. (0 Refs)
Subfile: C 

Descriptors: database management systems; security of data 
Identifiers: decentralization of security administration; database
security administrators; global security policies; shared databases;
supervisory control; delegated portions

Class Codes: C0310 (EDP management); C6160 (Database management systems
(DBMS))
DIALOG (R) File 8:Ei Compendex(R)

(c) 2006 Elsevier Eng. Info. Inc. All rts. reserv. 

04745280 E.I. No: EIP97073722064 

Title: EBMUD's Pipe Dream - a project tracking system

Author: Levine, Andrew J.; Butler, Carrie L.; Stanton, Raymond E.; Irias,
Xavier J.; Miller, Marilyn L.

Corporate Source: East Bay Municipal Utility District, Oakland, CA, USA
Conference Title: Proceedings of the 1997 4th Congress on Computing in
Civil Engineering

Conference Location: Philadelphia, PA, USA Conference Date: 
19970616-19970618 
Sponsor: ASCE 

E.I. Conference No.: 46574 

Source: Computing in Civil Engineering (New York) 1997. ASCE, New York, 
NY, USA. p 449-456 

Publication Year: 1997 
CODEN: CCENEX 
Language: English 

Document Type: CA; (Conference Article) Treatment: G; (General Review); 
M; (Management Aspects) 

Journal Announcement: 9708W4

Abstract: Pipe Dream is a computerized system developed by East Bay 
Municipal Utility District (EBMUD) to schedule and track pipeline projects 
from planning through construction. At any one time, EBMUD has over 500 
active pipeline projects in some stage of planning, design, or 
construction. By centralizing all project information in one database, Pipe 
Dream replaces many individual, manual record-keeping systems used in over 
a dozen work units. Pipe Dream has a user-friendly, Windows standard 
interface for entering and viewing data. Sophisticated sorting and 
filtering features allow queries of incoming projects, late projects, or 
projects assigned to a particular engineer. Customized reports show current 
project status, statistics on average duration, resource loading, and 
backlog. The Pipe Dream tracking system was developed in Microsoft Visual 
Basic and accesses data contained in Microsoft Access and Oracle databases. 

Security controls maintain data integrity by allowing only the 
project manager to change basic project information. Schedule changes 
for a particular work unit can only be made by a member of that unit. Since 
Pipe Dream allows all parties to enter and track their projects and 
constraints in real time, it enables pro-active management of multiple 
projects. By displaying anticipated tasks as well as current status and 
historical durations, estimated completion dates can be accessed at any 
time. (Author abstract) 

Descriptors: *Pipelines; Project management; Scheduling; User interfaces;
BASIC (programming language); Query languages; Management information
systems; Real time systems

Identifiers: Project tracking systems; Software package WINDOWS; Software
package pipe dream; Visual basic (programming language)

Classification Codes:

723.1.1 (Computer Programming Languages) 

619.1 (Pipe, Piping & Pipelines); 912.2 (Management); 722.2 (Computer 
Peripheral Equipment); 723.1 (Computer Programming); 723.3 (Database 
Systems); 723.2 (Data Processing) 

619 (Pipes, Tanks & Accessories); 912 (Industrial Engineering & 
Management); 722 (Computer Hardware); 723 (Computer Software)

61 (PLANT & POWER ENGINEERING); 91 (ENGINEERING MANAGEMENT); 72 
(COMPUTERS & DATA PROCESSING) 



22/5/1 (Item 1 from file: 6) 

DIALOG (R) File 6:NTIS 

(c) 2006 NTIS, Intl Cpyrght All Rights Res. All rts. reserv. 

1320954 NTIS Accession Number: AD-A183 361/5 

Demonstration of a Trusted Computer Interface between a Multilevel Secure 
Command and Control System and Untrusted Tactical Data Systems 

(Master's thesis) 
Rector, G. E. 

Naval Postgraduate School, Monterey, CA. 
Corp. Source Codes: 019895000; 251450 
Mar 87 161p 

Languages: English Document Type: Thesis 
Journal Announcement: GRAI8722 


NTIS Prices: PC A08/MF A01

Country of Publication: United States 

The task of this research is to demonstrate a multilevel secure interface 
between a system operating at multiple security levels and other untrusted 
systems operating at a single security level. Without a trusted interface 
device, these systems cannot be electronically connected. All 
communications between the systems must be done manually with all 
information transfer being reviewed by a security officer. Only
releasable information is printed or stored in a removable medium and hand
carried to the other system. In contrast, a trusted, multilevel secure
guard can connect untrusted systems electronically and control the release
of sensitive information. This task will demonstrate the ability of a
multilevel trusted system to interface with untrusted systems operating at
different levels of security. Keywords: GEMSOS (Gemini Secure Operating
System).

Descriptors: *Communication and radio systems; *Tactical data systems;
*Information transfer; *Command and control systems; *Security; Computers;
Interfaces; Control; Officer personnel; Secure communications; Sensitivity
Identifiers: *Operating systems (Computers); Computer security; NTISDODXA
Section Headings: 74G (Military Sciences — Military Operations, Strategy,
and Tactics); 45C (Communication — Common Carrier and Satellite)
DIALOG (R) File 348: EUROPEAN PATENTS

(c) 2006 European Patent Office. All rts. reserv.



00468476 

Security system for electronic printing systems 

Sicherheitssystem fur elektronische Drucksysteme

Systeme de securite pour systemes d'impressions electroniques

PATENT ASSIGNEE:
XEROX CORPORATION, (219781), Xerox Square - 020, Rochester New York 14644,
(US), (applicant designated states: DE;FR;GB)
INVENTOR: 

Rourke, John L., 94 Waterford Way, Fairport, N.Y. 14450, (US) 
Wing, Peter D., 94 Hefner Drive, Webster, N.Y. 14580, (US) 
Ratcliffe, Jack F., II, 19 Sunset Boulevard, Pittsford, N.Y. 14534, (US) 
Valliere, Paul J., 15 Grimsby Gate, Fairport, N.Y. 14450, (US)
LEGAL REPRESENTATIVE: 

Grunecker, Kinkeldey, Stockmair & Schwanhausser Anwaltssozietat (100721)
, Maximilianstrasse 58, 80538 Munchen, (DE)
PATENT (CC, No, Kind, Date): EP 477570 A2 920401 (Basic)
EP 477570 A3 921007
EP 477570 B1 990512
APPLICATION (CC, No, Date): EP 91114459 910828;
PRIORITY (CC, No, Date): US 591330 900928
DESIGNATED STATES: DE; FR; GB
INTERNATIONAL PATENT CLASS (V7): G06F-001/00;
ABSTRACT WORD COUNT: 49
LANGUAGE (Publication, Procedural, Application): English; English; English
FULLTEXT AVAILABILITY: 
...SPECIFICATION user would have full access to any function available on
the system

(2) a partially secure site would allow User IDs to be assigned to
some users at the Security Administrator...

...a fully secured site where all users are assigned a User ID by the
Security administrator.

(4) fully secured site with passwords would allow some or all users,
at the discretion of the Security administrator, to employ their own
password to control access to the user's own files that are in the
system.

A Site administrator is normally provided (although one
administrator may serve in both Site and Security Administrator
capacities). The Site administrator is considered a privileged user
and as such has certain privileges over and above those of either a
secure or non-secure user. The Site administrator typically
establishes the programming features and functions that the site will
have, the system default...



15/3,K/5 (Item 5 from file: 348)

DIALOG (R) File 348: EUROPEAN PATENTS

(c) 2006 European Patent Office. All rts. reserv.

00958366 

Method and apparatus for storing and controlling access to information 
Verfahren und Vorrichtung zur Speicherung von Daten und Steuerung des 
Zugriffs dazu 

Methode et dispositif pour le stockage des donnees et l'acces a celles-ci

PATENT ASSIGNEE: 

PITNEY BOWES INC., (244957), World Headquarters, One Elmcroft Road,
Stamford, Connecticut 06926-0700, (US), (Proprietor designated states:
all)
INVENTOR: 

Basso, Michael R., 10 Boulder Road, Norwalk, Connecticut 06854, (US) 
Lee, Joonho, 127 Promenade Drive, Hamden, Connecticut 06514, (US) 
Li, Chunhua, 134 Sugar Hill Road, North Haven, Connecticut 06473, (US) 
LEGAL REPRESENTATIVE: 

Avery, Stephen John et al (47695), Hoffmann Eitle, Patent- und 
Rechtsanwalte, Arabellastrasse 4, 81925 Munchen, (DE) 
PATENT (CC, No, Kind, Date): EP 869460 A2 981007 (Basic)
EP 869460 A3 991103
EP 869460 B1 030618
APPLICATION (CC, No, Date): EP 98103816 980304;
PRIORITY (CC, No, Date): US 810746 970304
DESIGNATED STATES: DE; FR; GB 

EXTENDED DESIGNATED STATES: AL; LT; LV; MK; RO; SI 
INTERNATIONAL PATENT CLASS (V7): G07F-007/10 
ABSTRACT WORD COUNT: 192 
NOTE: 

Figure number on first page: 1 

LANGUAGE (Publication, Procedural, Application): English; English; English
FULLTEXT AVAILABILITY: 
...SPECIFICATION disadvantage that a system failure which prevents
communication with the Trusted Authority would prevent any access to
the encrypted information. Accordingly, in other embodiments of the
subject invention the smartcard of...

...P or of provider H may store the key used to encrypt certain sensitive,
critical, information, and may be programmed to decrypt and output this
information for certain providers who are certified by the Certifying
Authority as having emergency authorization to access such information
even in the event of a system failure. For example, the head of an
emergency medical service might have authority to access such
sensitive, critical data in the event of a system failure while other
medical personnel could only access such data with an access code
issued by a Trusted Authority, but without needing immediate access to
the Trusted Authority. Of course, non-sensitive information, such
as blood type, can simply be printed on the face of the card.
Turning...

DIALOG (R) File 349: PCT FULLTEXT

(c) 2006 WIPO/Univentio. All rts. reserv. 

00450528 **Image available** 

METHODS AND APPARATUS FOR CONTROLLING ACCESS TO INFORMATION 
PROCEDES ET APPAREIL DE CONTROLE D'ACCES A DES INFORMATIONS 

Patent Applicant/Assignee:
INTERNET DYNAMICS INC,
Inventor(s):
JENSEN Daniel,
LIPSTONE Laurence R,
RIBET Michael B,
SCHNEIDER David S,
Patent and Priority Information (Country, Number, Date):
Patent: WO 9840992 A2 19980917
Application: WO 98US4522 19980309 (PCT/WO US9804522)
Priority Application: US 9739542 19970310; US 9740262 19970310; US
9834587 19980304; US 9834503 19980304; US 9834507 19980304; US 9834576
19980304
Designated States: 
Publication Language: English
Fulltext Word Count: 38574 

...International Patent Class (v7): G06F-001/00 
Fulltext Availability: 
Detailed Description 

Detailed Description 

up, a built-in administrative policy gives a built-in administrative
user group called the security officer the right to make
administrative policy for all objects in the system. Members of the
security officer user group delegate rights to make administrative
policy to other administrative user groups as required...that the right
to administer an information set is separate from the right to make
access policy for the information set. The fact that a user group has
the right to make access policy concerning an information set does
not give the user group the right to make administrative policy for the
information set, and vice-versa. When an access filter 203 is first set
up, a single built-in security officer user group has
administrative authority over all of the objects in VPN 201 and over
policy...

...with administrative policy

Inheritance works with administrative policy the same way that it does
with access policy.

The user groups, information sets, and available resources to which
administrative policies are directed are hierarchically organized...
Engineers 2511, Engineering Data 2513, and over access to Engineering Data to
Engineering Administrators 2509.

Security Officer 2503 of course still has administrative authority
over Engineering Administrators and can use that authority...a member of the
group is an administrator, i.e., can make administrative policy, a
security officer, i.e., can make policy maker policy, or a simple user
of information. User group...
confidential data such as salary information, in distributed

administrators needed to access the encrypted data, thereby reducing
the security problem arising from allowing a large number of system
administrators to have access to the encrypted data.

DESCRIPTION OF DRAWING(S) - The figure shows the schematic view of
the distributed computing system.

NOVELTY - Basic secret and subordinate administrators (A1-A3)
are selected by a main administrator (A). Identity in the form of
unique prime number is provided to all administrators and associated
final operators. Sub-secret is allocated to subordinate administrators